Vendor blueprint · prerelease
Databricks Lakewatch — open, agentic SIEM
Announced March 24, 2026, Private Preview. Databricks publicly positions Lakewatch on Unity Catalog, Delta Lake, and Apache Iceberg — open table formats throughout, with OCSF on the Silver layer. Agentic triage (Mosaic AI + Anthropic Claude), Detection-as-Code, Genie NL-to-SQL.
What ships today
Open Agentic SIEM on Unity Catalog. OCSF on the Silver layer. Lakeflow Declarative Pipelines + Expectations for data quality. Lakebase (serverless Postgres) for case management. DASF 2.0 (62 risks / 64 controls) as the governance overlay.
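Worked example of the Silver-layer pattern above, added here and not taken from Databricks, Lakewatch, or the announcement: Bronze log lines normalized to an OCSF Authentication event (class_uid 3002, the field names below are taken from the published OCSF schema), gated by expectation-style quality checks in the spirit of Lakeflow's "expect ... on violation drop row", then queried by a detection rule kept as code. The sample log lines, the vendor result-string mapping, the rule thresholds, and every function name are constructed for the example.

```python
"""Added example (not Databricks/Lakewatch code): Bronze -> OCSF Silver -> detection-as-code.
Assumes OCSF Authentication (class_uid 3002) field names; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timezone
import json

# Constructed raw Bronze records, as an SSH daemon might emit them (sample data, not real logs).
BRONZE = [
    '{"ts":"2026-03-24T10:00:01Z","user":"alice","src":"10.0.0.5","result":"FAIL"}',
    '{"ts":"2026-03-24T10:00:02Z","user":"alice","src":"10.0.0.5","result":"FAIL"}',
    '{"ts":"2026-03-24T10:00:03Z","user":"alice","src":"10.0.0.5","result":"FAIL"}',
    '{"ts":"2026-03-24T10:00:04Z","user":"alice","src":"10.0.0.5","result":"OK"}',
    '{"ts":"2026-03-24T10:00:05Z","user":"bob","src":"10.0.0.9","result":"FAIL"}',
    '{"ts":"2026-03-24T10:00:06Z","user":"","src":"10.0.0.9","result":"FAIL"}',
    '{"ts":"not-a-time","user":"carol","src":"10.0.0.7","result":"OK"}',
    '{"ts":"2026-03-24T10:00:07Z","user":"dave","src":"10.0.0.8","result":"MAYBE"}',
]

# Assumed mapping of this source's result strings onto OCSF status_id (1 = Success, 2 = Failure).
STATUS = {"OK": 1, "FAIL": 2}


def to_ocsf(raw: str) -> dict:
    """Normalize one Bronze line into an OCSF Authentication event.
    Missing or unmappable fields become None; the expectations decide what to do with them."""
    r = json.loads(raw)
    try:
        t = datetime.strptime(r.get("ts", ""), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        time_ms = int(t.timestamp() * 1000)
    except ValueError:
        time_ms = None
    return {
        "class_uid": 3002,                        # Authentication
        "activity_id": 1,                         # Logon
        "time": time_ms,                          # epoch milliseconds, per OCSF
        "status_id": STATUS.get(r.get("result")),
        "actor": {"user": {"name": r.get("user") or None}},
        "src_endpoint": {"ip": r.get("src")},
    }


# Expectations: (name, predicate). A row failing any predicate is dropped and the violation
# counted, mirroring an "expect ... on violation drop row" declaration on the Silver table.
EXPECTATIONS = [
    ("valid_time", lambda e: e["time"] is not None),
    ("known_status", lambda e: e["status_id"] in (1, 2)),
    ("has_user", lambda e: e["actor"]["user"]["name"] is not None),
]


def build_silver(bronze):
    """Return (silver_rows, violation_counts). Counts are what an ops dashboard would chart."""
    silver, violations = [], defaultdict(int)
    for raw in bronze:
        ev = to_ocsf(raw)
        failed = [name for name, pred in EXPECTATIONS if not pred(ev)]
        if failed:
            for name in failed:
                violations[name] += 1
            continue
        silver.append(ev)
    return silver, dict(violations)


# Detection-as-Code: the rule is a versioned function over Silver, not a console click-path.
def brute_force_then_success(silver, threshold=3, window_ms=60_000):
    """Flag (user, src_ip) pairs with >= threshold failures followed by a success within window_ms.
    Thresholds are illustrative; tune per environment."""
    by_key = defaultdict(list)
    for ev in sorted(silver, key=lambda e: e["time"]):
        by_key[(ev["actor"]["user"]["name"], ev["src_endpoint"]["ip"])].append(ev)
    hits = []
    for (user, ip), evs in by_key.items():
        fails = []
        for ev in evs:
            if ev["status_id"] == 2:
                fails.append(ev["time"])
            elif ev["status_id"] == 1:
                recent = [t for t in fails if ev["time"] - t <= window_ms]
                if len(recent) >= threshold:
                    hits.append({"user": user, "src_ip": ip, "failures": len(recent),
                                 "success_time": ev["time"]})
                fails = []  # a success closes the window
    return hits


if __name__ == "__main__":
    rows, bad = build_silver(BRONZE)
    print(f"silver rows: {len(rows)}, expectation violations: {bad}")
    for h in brute_force_then_success(rows):
        print("ALERT", h)
```

The expectation counts are the operational signal the "data quality" line in the blueprint refers to: a sudden rise in `valid_time` or `known_status` violations after a log-format change means the Silver table is silently losing events before any rule sees them, which is the failure mode a conformance report would surface.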
What doesn't ship yet
First-party asset / identity graph. Productized OCSF conformance (the whitespace DataBahn occupies today). CISO-language maturity model. Lakehouse-fluent buyer enablement curriculum. These are the partner and professional-services gaps where independent practitioners add value.
What it changes for architects
"Lakehouse-native security" stops being a self-build conversation. Reference architectures move from one-off engagements to a vendor-supported product motion. The total addressable market widens, and the buyer-education gap widens with it.
The honest critique
HFS Research: the 80% TCO figure reads as "more efficient, not automatically cheaper." Hugo Lu: "build your own SIEM" is structurally different from the go-to-market motion Splunk built its base on. InfoTech: reframe as utilization of existing infrastructure, not a net-new vendor. All three are landings to plan for, not pitches to repeat.
Two acquisitions closed into launch: Antimatter (agent AuthN/AuthZ) and SiftD.ai (SPL → Lakewatch translation by the original SPL author).
Sources: Databricks Lakewatch announcement (2026-03-24, Private Preview); HFS Research / Hugo Lu / InfoTech analyst commentary. Essay: /writing/ai/nanda-automation (Lakewatch worked example).